Every time I’m in front of a group of clients to talk about the “new” things happening in End User Computing, I open my session with a simple but effective question: How many devices are you carrying today? The answer is usually two or more devices. This is a very clear way to show that we live in a mobile world that expects a very quick response from us, surrounded by products and solutions that let us keep up with that pace of life. End users are used to consuming applications and services at any time and from any location. This creates high expectations in the workplace and impacts IT in many ways: users want the same type of access to services and data at work as they have in their daily life.

If we take time to remember how applications were delivered in the past (something that continues to apply today) and how that has been changing slowly, we can go back to the time when Terminal Services, client-server apps, and other methods were the way to deliver services to our end users in a flexible and scalable way, but in many cases they do not fit well in this mobile era. The IT department lives under pressure to integrate the services it provides into a world of “mobile” users, and it now needs to add to its managed endpoints the mobile devices that end users are bringing to work. So IT no longer manages only desktops and laptops, mainly based on Windows; today it faces a new challenge: managing other OSs and devices (think about iOS, Android, etc.) in terms of support, patches, upgrades, security and so on.

Post–PC era

The increase in sales of mobile devices versus PCs shows a very clear trend: end user computing is changing. This has been demonstrated in many studies by important firms like Gartner and IDC, where we can find numbers like an increase of 67.9% in sales for tablets this year, while there is a forecasted decrease of 10.6% in sales for PCs (desktop & laptop). The term “Post–PC Era” refers precisely to this: the increase of mobile devices (tablets & mobile phones) being shipped and used by end users instead of PCs.

Besides mobile devices, it is very important to note how app development is moving towards “agnostic” platforms. In other words, many of today’s apps are multi-platform and are not intended only for Windows, so the same app & user experience can be delivered on many types of devices and OSs.

Many will think that our users have been “spoiled” by the cloud, but let’s be honest, is this true? Or is this something that is inevitable? If we take a look at how users consume applications, data, and services in their daily lives, it is very clear that everything is “easy” to consume and interact with. One clear example is “cloud storage” services, where we can share files with our family, friends and co-workers, and the most interesting thing is that we can use most mobile devices and PCs to consume this type of service… the only thing we need is internet access! But hold on… what’s the problem here? As we get more and more used to working with this kind of flexibility, we carry our expectations with us to work, and this impacts IT.

Bring Your Own Device

The term “Bring Your Own Device” was first mentioned back in 2004 in a paper by Ballagas et al. at UBICOMP, and in later years it became increasingly used by companies like Intel, VMware, Citrix, etc. BYOD refers to users bringing their devices to their workplace and corporate network. Sometimes this is sponsored by the company (some even create strategies to fund a percentage of the device), but this is not always the case; on other occasions, adapting to and embracing the BYOD model is a slow process and a painful road for IT. This term is not new, nor is it purely the creation of a marketing strategy. If we take a look at how mobile devices are used nowadays by end users in their personal lives and at work, it is easy to determine that this will not change and that we must adapt to it (“we” as in “IT”). BYOD has a lot of benefits, like user satisfaction (which generally leads to a more productive environment), cost reductions in terms of hardware and software licensing, etc. Users today have access to their device of choice, and there is usually one of them that they feel more comfortable with for working with apps & services in the “cloud”, accessing their data anywhere and using collaboration tools. BYOD is also adopted by educational institutions, where students bring their laptops, tablets and so on.

Life is not a bowl of cherries

CIOs, IT managers, etc. have realized the benefits that a BYOD strategy brings to their corporations and to how services are consumed. But they are also aware of the downsides and tradeoffs that arise with it. Let’s take a look at some points:

Rogue IT – devices that are not managed by IT, mobile phones for example. This makes it more complex to control and manage the endpoints that use the corporate network and services.

Applications – IT needs to deliver and maintain services for the new devices on the corporate network. This leads to complexity, mainly created by the “silos” that result from different OSs, applications, hardware, etc. Keeping app patches and upgrades compatible with the devices used by end users becomes a challenge.

Security, authentication and authorization – Allowing these new devices to access corporate data and services is a big challenge in terms of security and confirmation of the user’s identity.

End user experience – we must be able to provide the end user with a common interface to access the different services and applications, independently of the device they are using. Let’s remember that EUC is mainly about end user experience: users do not like or want complex solutions, so let’s keep it simple.

It is important to note that a successful BYOD strategy, as in most companies, requires a set of policies that define which devices are supported to access the corporate network. These policies also define what kind of security must be used by these users and whether a given user is entitled to work this way. Not all use cases can be accommodated in a BYOD strategy. An example is the need to comply with industry standards like PCI DSS: although it is not impossible, it may require many considerations.
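One way to express such a policy as an admission check for personally owned devices, as an added example that is not part of the original article. The platform list, minimum versions, control names, group names and the restricted resource label are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy values for illustration; a real policy is set by IT/security.
SUPPORTED_PLATFORMS = {"ios": (6, 0), "android": (4, 0), "windows": (6, 1)}
REQUIRED_CONTROLS = {"screen_lock", "storage_encryption"}
BYOD_ENTITLED_GROUPS = {"sales", "engineering"}
# Resources in a regulated scope (e.g. PCI DSS) that BYOD devices may not reach.
RESTRICTED_RESOURCES = {"cardholder-data"}


@dataclass
class AccessRequest:
    """What a personally owned device reports when it asks for access."""
    user_groups: set
    platform: str
    os_version: tuple
    controls: set = field(default_factory=set)
    resource: str = "intranet"


def evaluate(req):
    """Return (allowed, reasons); every failed check is reported, not just the first."""
    reasons = []
    # 1. Is the user entitled to work from a personal device at all?
    if not (req.user_groups & BYOD_ENTITLED_GROUPS):
        reasons.append("user not entitled to BYOD")
    # 2. Is the device on the supported list, at a supported OS version?
    minimum = SUPPORTED_PLATFORMS.get(req.platform.lower())
    if minimum is None:
        reasons.append("unsupported platform: " + req.platform)
    elif tuple(req.os_version) < minimum:
        reasons.append("OS version below supported minimum")
    # 3. Are the security controls the policy demands in place?
    missing = REQUIRED_CONTROLS - req.controls
    if missing:
        reasons.append("missing controls: " + ", ".join(sorted(missing)))
    # 4. Use cases that do not fit BYOD are denied regardless of device state.
    if req.resource in RESTRICTED_RESOURCES:
        reasons.append("resource restricted to managed devices")
    return (not reasons, reasons)
```

Returning every failed check, rather than stopping at the first, gives the help desk and the user a complete list of what to fix before the device is admitted.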

How VMware Horizon Suite can help

Now it is time to take an overall look at how VMware can help us deliver better end user computing and achieve a BYOD strategy. Keep in mind that this is just a brief look at VMware’s EUC portfolio, as this article is the first of the series. We will take a technical deep dive into each product in future articles of the series.

VMware Horizon View

Formerly called VMware View, this is the VDI (Virtual Desktop Infrastructure) offering from VMware. The latest version at the time of writing this article is 5.2 and there are many interesting features offered by Horizon View 5.2. Let’s talk about VDI briefly and what it is all about.

Virtual Desktop Infrastructure is a way to deliver a desktop (Windows based) to end users. It is very important to note that it is not the same as a Terminal Services (now called RDS) session, where users share the same OS and each user gets a separate session. In VDI, the whole OS is used by one user only. VDI offers a lot of benefits, like improved security (although there are many considerations), better utilization of resources, OPEX savings, hardware reutilization, CAPEX reduction, etc.

VDI works by executing the desktop as a virtual machine in a datacenter. This virtual machine is a “process” inside a physical server that has a hypervisor installed to logically abstract and control the hardware (think about ESXi, Hyper–V, XenServer, etc.), so the desktop never leaves the datacenter (unless it is intended to also be used in “offline” mode). The user’s sessions occur via a remote display protocol like RDP, HDX, PCoIP, etc. What is sent over this session is mainly the display image and peripheral device traffic. Every session must be managed by a broker that receives the session request from the end user, authenticates the user and creates the session between the endpoint and the virtual desktop.

Now let’s take a look at Horizon View’s architecture:

The first benefit of Horizon View against its competition is simplicity. The whole architecture is managed by just two management interfaces, one for the virtual infrastructure (VMware vCenter) and the other for the virtual desktops (Horizon View Manager).

Horizon View leverages a remote display protocol called PCoIP that was developed by Teradici. This protocol is UDP based and optimized for WAN environments. The main difference versus other protocols is that this is not a lossy protocol (although in certain environments we can change this to save bandwidth), so it delivers the best quality end user experience on many types of devices like iPads, Android based mobile phones & tablets, zero clients, thin clients, etc. In Horizon View 5.2, there is the ability to deliver a desktop session via HTML5, so any device that can run a supported web browser can now get access to a Windows desktop.

Horizon View offers a very interesting technology called Horizon View Composer. This technology leverages “linked clones” to quickly provision desktops from a master image, which greatly improves the time needed to provision many desktops and reduces the storage needed. Most importantly, it reduces the time spent managing desktop images, apps, etc., because any change is applied to the master image and can then be “replicated” to the linked clones through an operation called “recompose”, without losing user data and configuration.

Horizon View offers secure access to desktop sessions outside the corporate LAN (DMZ, WAN) with a server that creates secure tunnels between the endpoint and the virtual desktop in the datacenter. PCoIP is, by default, encrypted with AES-128 so the session is secured even when the user is working in the corporate LAN. Horizon View offers two-way authentication and it works with Microsoft Active Directory to provide users, groups and policies.

ThinApp application virtualization helps by “virtualizing” applications so that we are able to run them on different versions of OSs. Think about a legacy web application that works fine with IE6 but stops working when you try to access it using IE8. Wouldn’t it be nice to be able to run both IE8 and IE6 on the same OS without any problem? ThinApp lets us accomplish this by encapsulating all the required data, libraries, registry entries, etc. so we can run both applications and they do not interact with the underlying operating system.

So how does this fit into a BYOD strategy? It’s easy: we can provide our end users with a desktop no matter what type of device they are using, so they can always work with their corporate apps, data and services using their personal mobile devices.

VMware Horizon Workspace

Horizon Workspace lets us create a centralized catalog of apps and services where end users can get their desktop sessions, data services and applications on any device.

There are two ways to access Workspace: the first is the web portal and the other is a native application, depending on the OS used by the endpoint (Android, iOS, and Windows).

Horizon Workspace delivers a centralized data repository for our users where they can share files with other users, preview files, create public links to files, etc. This service enables a true corporate file sharing service with the capability of applying policies, quotas, two-factor authentication, etc.

Then we have the application catalog, where we can offer our end users SaaS applications, web based apps, Windows based apps via ThinApp application virtualization, and mobile apps. This app catalog lets the IT department manage the apps in a centralized way: any change or upgrade to an application is done in this catalog.

The last service is a Horizon View desktop session; we can give our end users the ability to access their desktops through this centralized catalog of services. They can choose between two display protocols, PCoIP (leveraging a local Horizon View client) or Blast protocol (HTML5) through a supported browser (shown in the image below).

VMware Horizon Mirage

Horizon Mirage extends many VDI capabilities to the physical world through central management of desktop images with a “layered” approach, letting us modify the OS without an impact on existing apps (both user installed and IT installed) and user data.

Horizon Mirage works by logically breaking up an end user desktop or laptop into “layers”. These layers are stored in the datacenter. We can use specific layers with a set of apps, drivers, user data, etc.

When there is a need to update an application or group of applications, the IT personnel just have to replace the layer with a new one that contains the required version of the app, or the new version of the OS, etc. Any change made to a layer is pushed to the managed endpoints through a client that runs locally on each of them; it downloads the required changes, applies them and then asks for a reboot (in case one is needed). The reboot is not mandatory, so the change can wait to be fully applied when the user shuts down their PC, or it can be applied as a scheduled task.

Let’s take a look at a use case: single image management, but a different set of applications per department:

As we can see, the base image (Windows 7, AV & common apps) is shared among all the departments. IT just needs to change an application layer to apply the specific applications required by each department.

Another very interesting feature is the ability to take “snapshots” of the current state of a desktop. This can help us go back in time in case of a virus or malware infection, a deleted file, corrupted data or broken apps.

Stay tuned for my next articles, where I’m going to take a technical deep dive into each product!

Agustín Malanco (@agmalanco) - VCP-DCV 3,4,5, VCAP4/5-DCA, VCAP4/5-DCD, VCAP5-CID/CIA, VCAP5-DTD, VCP4/5-DT, VCP-Cloud. He has been working with VMware's technologies for almost 7 years and has worked in various fields, from consulting and support to training. Agustín has his own blog (blog.hispavirt.com) and has been recognized as a vExpert in 2011, 2012 & 2013 for his contributions to the community.